EMV is Here - Are You Ready?

Shift Happens

Where were you when the October 1 EMV liability shift occurred?

Were you prepared?

Most weren't.

If you have been living under a rock the past few years (or perhaps hiding out on an island somewhere), EMV stands for Europay, MasterCard and VISA. It's the global standard for the inter-operation of credit/debit chip cards", point of sale (POS) terminals, and automated teller machines (ATMs).

While EMV cards were introduced in Europe nearly three decades ago to combat counterfeit and stolen cards, EMV adoption has been slow in the United States due to the large costs associated with upgrading merchant terminals and issuer plastics.

According to PNC Merchant services, chip cards began appearing globally in the mid 90s and can be found in over 80 countries, with more than 1.55 billion EMV-compliant cards being used at 20 million EMV acceptance terminals.

Cards based on the EMV standard use an embedded microprocessor (chip) instead of a magnetic stripe to store cardholder data, and are considered significantly safer than the magnetic stripe cards traditionally used in the U.S.

Typically, in most international transactions, cardholders need to authenticate themselves with a Personal Identification Number (PIN) when using these cards.

In part to encourage adoption - and as a matter of fairness - the new liability rules that went into effect on October 1 shifted liability to whomever in the transaction chain has less fraud protection. For example, if a store hasn't upgraded its terminal and a fraudulent purchase occurs, the merchant would end up footing the fraudulent bill.

EMV Adoption Has Been Slow

Research from The Strawhecker Group (TSG) reveals that only 27 percent of U.S. merchants were EMV-ready by the October liability shift. Unfortunately, most of the noncompliant are likely small business owners who could really be impacted by a single or small number of fraudulent transactions. This could be especially impactful during the upcoming December 2015 holiday season, when only 44 percent of US merchants are expected to have adopted EMV compliant terminals.

Furthermore, according to a new survey from ACI Worldwide, many consumers have not yet received their new chip-enabled cards. Nearly three in five (59 percent) reported that they have not yet received a new chip-enabled card, and 67 percent indicated they have not received information from their credit card issuer or bank explaining what EMV means and how it will affect them.

Our experience at Strategic Resource Management suggests that while some issuers may have their credit cards EMV-compliant, even fewer have EMV-compliant debit cards.

In short, the merchants, customers, and payment industry aren't ready.

Why the Chip?

The chip provides three key elements: 1) it stores encrypted information, 2) validates the card with the POS during each interaction, and 3) performs cryptographic processing. Combined, these capabilities provide the means for secure consumer payments.

How It Works

In order to execute a payment, the chip must connect to a chip reader in an updated terminal.

There are two possible means by which this connection may be made, which are often referred to as contact or contactless. In both cases, insertion into a chip-reading device or utilizing the contactless connection, rather than swiping, means the card does not leave the customer's possession. Chip cards that support both contact and contactless interfaces are referred to as dual interface.

Additionally, the upgraded chip technology offers the ability to require a customer's personal identification number (PIN), to verify his or her identity.

During an EMV transaction, the chip card and the terminal work together to authenticate the card and complete the payment. The POS terminal helps enforce any rules that are set by the card issuer, which are stored on the chip, and determines whether the customer needs to enter a PIN or provide a signature to confirm his or her identity before the transaction is accepted.

Chip cards provide new options of validating a cardholder's identity and confirming acceptance of a transaction by entering a PIN or signing the receipt.

The verification methods are:

Chip and signature – Customers sign to validate their identity, which helps prevent counterfeit card fraud.

Chip and offline PIN – The chip card and the terminal validate the PIN with each other offline, before continuing for authorization, which helps prevent counterfeit, stolen and never received or issued card fraud.

Chip and online PIN – The customer's PIN is entered and sent to the host for validation in real time, which helps to prevent counterfeit, stolen, and never received or issued card fraud.

In addition to accepting EMV contactless chip cards, contactless readers that are EMV-equipped can be designed to also accept contactless chips, a secured element as found in a chip embedded directly into the phone's hardware, an SIM/UICC card provided by your network operator, or an SD card inserted into the mobile phone. A newer option is the use of Host Card Emulation, which is an on-device technology that permits a phone to perform card emulation on a Near Field Communication-enabled device without relying on access to a secure element.

Difference Between Magnetic Stripe Read and EMV Transaction

There is a fundamental difference between a magnetic stripe read and an EMV chip transaction. For magnetic stripe, the card is simply a data store that is read by the terminal and then the card is no longer used. The terminal performs all the processing and applies the rules for payment.

During an EMV transaction, the chip is capable of processing information and actually determines many of the rules for the payment. The terminal helps enforce the rules set by the issuer on the chip. These rules may include enforcing services such as offline data authentication, verifying the cardholder identity via PIN or signature, and online authorization. It is up to the issuing bank to define which of these services are required for the current transaction, via the rules placed on the chip. If the terminal is unable to provide the services requested by the chip, the issuer can set rules that will result in the chip declining the transaction.

Liability Shift

On October 1, Visa, MasterCard, American Express, and Discover shifted the liability for credit, card present fraud to U.S. merchants. This liability applies whether or not the card was swiped, a signature was captured and an issuer authorization was obtained. This shift occurs whether or not merchants implemented EMV acceptance.

Thus, merchants not implementing the new technology will likely see significant fraud losses as criminals seek out terminals that are not up to the new EMV standards. According to acquirer Chase Paytech, While overall fraud losses in every region drop – sometimes significantly – immediately after EMV rollout, industry reports have noted a trend that fraud losses tend to increase in less secure environments, especially card not present (CNP), which includes online and phone initiated payments.

As part of the industry's EMV rollout plan, gas station owners will have an additional two years to migrate automated fuel dispensers to EMV before the liability switch occurs, and thus it's possible that much of the fraud will, at least temporarily, shift to gas stations.

It's also worth noting that if a retailer's point-of-sale systems are EMV-ready, but the card-issuing bank's cards are not EMV-compliant, then the cost of any fraudulent transactions associated with those cards would be borne by the bank.

If both the card and terminal have been EMV-certified, fraudulent transactions should not be occurring.

There are also some positive implications for merchants.

For example, most EMV-enabled POS equipment will include contactless technology, allowing merchants to accept contactless and mobile payments that will provide a higher level of convenience for customers, and could speed up checkout times. Some new smart chip-enabled POS devices could also help drive loyalty and repeat business by pushing offers that are sent to and redeemable on mobile devices.

Merchant Impact

In most countries, chip cards that require a PIN are the norm. However, in the United States, most issuers appear to be configuring their EMV cards to allow for a signature to verify the cardholder. From the merchant and cardholder perspective, nothing changes; the terminal will determine whether the card requires a PIN or signature, and the employee simply follows the prompts. When a signature is required, a signature line is printed on the receipt and a signature must be obtained.

The concern is that the real value of the more secure EMV transaction is only achieved when a PIN is requested. In the current rollout, Chip and Signature only protects from counterfeit card fraud and not lost/stolen, never received, or issued card fraud, which is achieved with the more secured Chip and PIN.

The move to Chip and Signature is likely due to a lack of desire to alter existing cardholder behavior by introducing PINs, and an attempt to limit the cost of EMV for merchants by not requiring the purchase of an EMV-compliant PIN pad.

However, because issuers now own this liability, the only shift that is reasonably possible is to the merchant, and then only if the merchant fails to implement Chip and PIN and then accepts a card that is capable of a Chip and PIN transaction.

Thus, while total fraud may not significantly decrease, it will be shifted to the merchants. If merchants are concerned about eliminating the risk of increased fraud, they should spend the extra money on an EMV-compliant terminals and PIN pads to avoid the assumption of any shift in fraud liability.

Additional Considerations: Electro Static Discharge

EMV cards make use of a patch of gold contacts that the POS terminal makes electrical contact with. This electrical conductivity makes some chips sensitive to electrostatic discharge (ESD).

ESD, commonly known as static electricity, is often created when two materials rub against each other. Common sources are clothing against chairs, shoes against carpet, and tape or plastics rubbing against other plastics.

EDS can permanently damage an EMV chip's circuit, or cause errors in the processing of a payment. While modern cards are typically designed to be protected against damage from ESD, certain situations can lead to an increase in chip failures. Dry, cold air, like experienced in the winter, can cause an increase in ESD-related failures, as can some terminals.

To avoid such issues, it's advisable to take precautions like using materials around card readers that can dissipate static electricity, and training employees on the risks of ESD.

If your financial institution suddenly experiences a high number of chip failures and/or requests for card replacements, ESD may be the cause.

Fortunately, wireless communications used by Near Field Communication-enabled devices are not as sensitive to ESD as wired communications because wireless communications do not require electrical contact. However, these are somewhat sensitive to some specific radio frequencies and antenna failures.

Summary

While EMV adoption has been slow, it's finally here. EMV adds additional security and new cardholder verification options. While total U.S. industry fraud should be reduced, there's a liability shift that has occurred and could impact merchant costs. EMV also added some technical considerations that didn't previously exist, such as the use of the chip and contactless technologies in loyalty programs, and electrostatic discharge leading to potential chip failures.

In short, EMV is a game changer for the U.S. payments industry.

Are you ready?

Lawrence Pruss
Senior Vice President
Strategic Resource Management, Inc. (SRM)
5100 Poplar Ave., Suite 2500
Memphis, TN 38137
C 814.934.8954
T 800.748.2577
www.srmcorp.com